Before operating the device, read this section carefully to prevent network security incidents.
Password Setting
For security, the passwords you set shall meet the following requirements:
- It is recommended that the password meet the minimum complexity requirement, that is, it contains characters from at least three of the following four sets: upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and the special characters `~!@#$%^&*()-_=+\|[{}];:'",.
- The password cannot be the same as the user name or its reverse.
- It is recommended that the password contain at least 6 characters.
- Keep passwords properly and change passwords periodically.
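The following Python function is an added example (not code from the Huawei documentation) that checks a candidate password against the rules listed above: minimum length, at least three of the four character sets, and no match with the user name or its reverse. It treats characters outside the four listed sets as not permitted, which is an assumption the page does not state.

```python
# Special characters exactly as listed in the password requirements above.
SPECIAL_CHARS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",.")
MIN_LENGTH = 6     # recommended minimum length from the page
MIN_CLASSES = 3    # at least three of the four character sets must be present


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password.

    Any character outside the four listed sets is reported as "other"
    (assumption: such characters are not permitted).
    """
    classes = set()
    for ch in password:
        if "A" <= ch <= "Z":
            classes.add("upper")
        elif "a" <= ch <= "z":
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("digit")
        elif ch in SPECIAL_CHARS:
            classes.add("special")
        else:
            classes.add("other")
    return classes


def check_password(password: str, username: str) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if "other" in classes:
        problems.append("contains characters outside the permitted character sets")
    if len(classes - {"other"}) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # The page forbids a password identical to the user name or its reverse
    # (exact comparison, as the page states it).
    if password in (username, username[::-1]):
        problems.append("equal to user name or its reverse")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for pw, user in [("Abc123!x", "admin"), ("nimda1", "1admin"), ("Pass word1", "admin")]:
        print(repr(pw), check_password(pw, user) or "OK")
```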
Cryptographic Algorithm
Cryptographic algorithms include AES, RSA, HMAC, and SHA2. Comply with the following suggestions to select an algorithm based on the scenario. Otherwise, your security defense requirements may fail to be met.
- Symmetric cryptographic algorithm: AES (128-bit or higher)
- Asymmetric cryptographic algorithm: RSA (2048-bit or higher)
- Hash algorithm: SHA2 (256-bit or higher)
- HMAC algorithm: HMAC-SHA2
For a given algorithm, you are advised to use keys of a higher strength (longer key length).
Feature Conventions
- The purchased products, services, and features are stipulated by the contract made between Huawei Technologies Co., Ltd. and the customer. All or part of the products, services, and features described in this document may not be within the purchase scope or the usage scope.
- The information in this document is subject to change due to version upgrade or other reasons. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
- For file transfer, you are advised to use the more secure SFTPv2, considering that FTP, TFTP, and SFTPv1 have security risks. For login to a remote device, you are advised to use the more secure STelnetv2, considering that Telnet and STelnetv1 have security risks.
- SNMPv1, SNMPv2c, and SNMPv3 are available. SNMPv3 is recommended in that it is more secure than SNMPv1/SNMPv2c.
- For authentication, HMAC-SHA, which is more secure than HMAC-MD5, is recommended.
- HTTP is poor in security. You are advised to use the more secure HTTPS.
- Use features in compliance with purposes and scope specified in laws and regulations.
The following features may involve the collection of users' communication contents. Huawei alone is unable to collect or save the content of users' communications. You are advised to enable the related functions based on the applicable laws and regulations in terms of purpose and scope of usage. When using these functions, you are obligated to take adequate measures to ensure that the content of users' communications is fully protected while it is being used and stored.
- Mirroring port traffic of the router provides the main input for traffic statistics collection and analysis on the detecting device. This process, however, may involve collecting user communication data. You can choose whether to perform this operation. The detecting device automatically discards mirrored traffic after collecting statistics on the traffic.
- The collector receives and processes log information reported by the device, including traffic statistics and anomaly attack information, but does not collect user communication data. To analyze attack traffic signatures, the administrator can direct the system to capture samples of live network traffic for analysis. In this process, the sampling ratio is controlled to ensure that raw communication data cannot be completely restored. For details, see Privacy Statement.
Privacy Statement
This product is a network attack detection and defense system. During attack traffic analysis, it provides the function of capturing packets for analysis, which extracts attack signatures and facilitates attack defense. This function, however, may involve users' raw communication data.
To provide customers with traffic detection and attack traffic scrubbing services, this product sends email or SMS messages to customers for notification. Therefore, customers shall fill in relevant contact information. If customers do not want to receive these notifications, they can skip this step.
This product protects privacy with the following measures:
- Contact information stored on this product is used only to send attack alarm notifications or reports; it is not used to send unrelated information or for any other purpose.
- This product captures packets only when the administrator has created a packet capture task; it never captures packets automatically.
- By default, this product captures only packet headers. To capture more of the packets, the administrator must manually adjust the setting.
- The default sampling ratio for packet capture is 1024:1 (that is, 1 packet is captured from every 1024 packets for analysis), and the maximum sampling ratio is 128:1. User communication data (voice, SMS, and email) cannot be restored in batches through captured packets.
- This product stores captured packets as files and automatically deletes the files after a specified period of time, which is 3 months by default and 12 months at most.
- This product provides the packet capture function for attack evidence collection and attack fingerprint extraction to alleviate attacks. This function does not process or analyze packet content.
- The anti-DDoS device captures packets and sends packet capture files to the ATIC. The ATIC will in no way send the files to a third-party system.
You shall comply with applicable laws and regulations and take proper measures to secure personal data, such as properly allocating administrator permissions, and properly configuring packet capture rules, tasks, and file storage time.
Certificate Usage
- You are advised to replace the default certificate delivered with the device with a certificate of your own. In addition, you are advised to purchase a commercial certificate for security.
- When you log in to the ATIC management platform, the browser may prompt "There is a problem with this website's security certificate". You can continue browsing anyway. However, you are advised to install the correct CA certificate in the browser for security.
- A certificate usually has a validity period. Record the validity period of each certificate and apply for a new one before it expires.
Network Deployment
- Deploy the ATIC system on a trusted enterprise network, which shall have a full-fledged network access check and authentication mechanism to protect the ATIC system from hackers.
- During network deployment, you are advised to isolate networks and services through the ACL or VLAN mechanism. For example, deploy the ATIC server on an independent VLAN and disable irrelevant communications to reduce the risk of attack and data leak.
- To secure the ATIC system from network attacks, deploy a firewall or professional defense device in the upstream direction of the ATIC management center.
- To prevent software conflicts or mutual impacts, do not enable services that are not planned on the ATIC server or install other application software programs.
Software Installation and Upgrade
To ensure the integrity of the obtained software, use the OpenPGP verification tool to verify the software digital signature. Obtain the tool from either of the following sources:
Download it from http://support.huawei.com/enterprise:
- Access http://support.huawei.com/enterprise.
- Click Tools, search for OpenPGP, and use it for verification.
Download it from http://support.huawei.com:
- Access http://support.huawei.com/carrier/digitalSignatureAction.
- Click Download, download OpenPGP Signature Verification Guide, and decompress the downloaded package.
- Further decompress the VerificationTools.zip package.
- Access the decompressed VerificationTools folder and obtain the verification tool to perform verification.
Third-Party Software
The ATIC system uses the following third-party software programs:
- JDK is a Java development and running tool. You can access https://www.oracle.com/java/index.html to obtain the related document.
- Tomcat is an open-source software program. You can access http://tomcat.apache.org to obtain the related document.
- MySQL is an open-source database software program. You can access http://www.mysql.com to obtain the related document.
- Click the icon in the upper right corner of the ATIC management center UI. In the lower part of the About page, click Open Source Software Notice.
Operation and Maintenance
Before maintenance operations, such as transferring troubleshooting-related data out of customer networks, technical engineers must get written authorization from customers. Operations beyond the authorization are prohibited.
Back up files, logs, and configurations in the system before modifying or deleting them, and exercise caution when doing so.
Public IP Address Usage Declaration
For purposes of introducing features and giving configuration examples, the MAC addresses and public IP addresses of real devices are used in the product documentation. Unless otherwise specified, these addresses are used as examples only.
Copyright © Huawei Technologies Co., Ltd.